ICO consultation on the draft updated data sharing code of practice


Q1 Does the updated code adequately explain and advise on the new aspects of
data protection legislation which are relevant to data sharing?

(x) Yes
( ) No


Q2 If not, please specify where improvements could be made. 
n/a 


Q3 Does the draft code cover the right issues about data sharing?

(x) Yes
( ) No


Q4 If no, what other issues would you like to be covered in it? 
n/a 


Q5 Does the draft code contain the right level of detail?

(x) Yes
( ) No


Q6 If no, in what areas should there be more detail within the draft code?
n/a 


Q7 Has the draft code sufficiently addressed new areas or developments in data
protection that are having an impact on your organisation’s data sharing
practices?

( ) Yes
(x) No


Q8 If no, please specify what areas are not being addressed, or not being
addressed in enough detail.


We welcome the Commissioner’s Code of Practice around Data Sharing as a valuable tool in assisting
us as controllers in fulfilling our obligations under data protection law, which will in turn assure our
clients, employees and those we do business with of our ongoing commitment to this by demonstrating
trust, respect and progressive advancement in all our engagements. Within the Code we particularly
wish for you to note our comments on the data ethics element raised.

Data Ethics - Definition
It would be helpful if we could have a clear direction on what is meant by ethics/data ethics. Definitions
needed include ‘ethical stance’. The generic definition of ethics as being ‘right and wrong’ is too broad to
know where the parameters of data ethics lie. What one deems as ‘right’ may be deemed elsewhere as
‘wrong’. We would welcome a definition of this terminology within the field of data privacy and
protection; possibly a type of ‘risk’ barometer methodology for measuring the gravity and/or level of
potentially processing data unethically, in the same way we assess the need for a Data Protection Impact
Assessment (DPIA) where there is high risk to data subjects.

Data Ethics - Principles
Along similar lines, does the ICO plan to outline ethical principles (you state ‘ethical principles...are
complementary to data protection principles’) which are not covered by the GDPR principles we already
have (lawfulness, fairness and transparency / purpose limitation / data minimisation / accuracy / storage
limitation / integrity and confidentiality / accountability)? What do ethical principles look like?

Data Ethics - Committee
Ethics committees are commonplace and longstanding within the NHS and research institutes. Indeed the
National Statistician’s Data Ethics Advisory Committee (NSDEC) often gives advice to other
organisations, including the Police, on how to set up an ethics review committee. We are interested in
knowing whether the ICO would consider supporting UK controllers (either directly or through industry
bodies) to navigate through data ethics in a similar way, with the ICO advising not only on how to set
up local committees and their memoranda of understanding, but also being available to controllers for
consultation when there remains a high risk to data subjects from ethical factors, even after the
controllers have undertaken the mitigation of risks.

Data Ethics - Governance
With regards to data ethics governance, we are aware of the ICO’s comments on the European
Commission’s (EU) draft paper on Ethics where, in particular, the EU paper goes on to say that ‘an internal
and external (ethical) expert is advised to accompany the design, development and deployment of AI. Such
expert could also raise further awareness of the unique ethical issues that may arise in the coming years’.
The ICO’s published response to the above EU guidance was ‘Some organisations deploying AI will have
limited resources and the guidelines should present an approach which is scalable to their needs. This
statement could therefore perhaps be qualified with a phrase such as ‘wherever practicable’.’ Can the
ICO advise what methodologies, if any, the ICO intends to put in place to assess the ethical use of
personal data? For example, within controller organisations, to promote the latter and facilitate an
ethical environment, will the Data Protection Officer be expected to monitor ethical use of data and
escalate concerns to the highest level of management in the organisation? To assist organisations in
working ethically and promoting this concept as a natural part of the considerations to be made when
processing personal data, would the ICO, as our Regulator, consider building an ethics framework for
use by controllers based on core value principles? This would be similar to what the UK government has
compiled for use by public authorities when considering the ethics of processing personal data, and could
take the shape of the model the ICO created around advice and guidance for DPIAs. This would be a
useful tool in identifying where potential questions around the ethics of data processing could arise, what
possible concerns there could be, and how these would be addressed, thus demonstrating a controller’s
fulfilment of their accountability obligation under Article 5(2) of the GDPR. Indeed, we hope research
the ICO is currently undertaking around AI may provide a steer around the question of ethics.

Data Ethics - Technology providers vs. users
Finally, we seek clarity on where the ethical responsibility lies within a relationship involving the
technology providers of AI alongside the users of those tools. Specific areas we welcome clarification on
include whether the technology providers will be expected to embed data ethical compliance in line with
data privacy by design and default, and whether the onus of responsibility lies more with users of
technology (data controllers) or with technology providers (data processors).


Q9 Does the draft code provide enough clarity on good practice in data sharing?

(x) Yes
( ) No


Q10 If no, please indicate the section(s) of the draft code which could be improved, 
and what can be done to make the section(s) clearer. 


n/a 


Q11 Does the draft code strike the right balance between recognising the benefits of
sharing data and the need to protect it?

(x) Yes
( ) No


Q12 If no, in what way does the draft code fail to strike this balance? 
n/a 


Q13 Does the draft code cover case studies or data sharing scenarios relevant to
your organisation?

( ) Yes
(x) No


Q14 Please provide any further comments or suggestions you may have about the 
draft code. 


The ICO’s guidance on ‘Due Diligence when sharing data following mergers and acquisitions’ is
prescriptive in nature and alerts to a number of steps Controllers must undertake before and
after M&As. In a similar vein, we would welcome the ICO’s guidance on data sharing whilst
undertaking ‘Insolvency’ and ‘business recovery’ work.


Q15 To what extent do you agree that the draft code is clear and easy to 
understand? 


( ) Strongly agree
(x) Agree
( ) Neither agree nor disagree
( ) Disagree
( ) Strongly disagree


Q16 Are you answering as: 


( ) An individual acting in a private capacity (e.g. someone providing their
views as a member of the public)
( ) An individual acting in a professional capacity
(x) On behalf of an organisation
( ) Other


Q17 Please specify 
Q18 Please specify 
KPMG LLP 


Q19 Please specify 


Thank you for taking the time to share your views and experience. 


